On 01/08/14 14:41, Rafaël Carré wrote: > On 08/01/14 13:57, Luca Barbato wrote: >> On 01/08/14 13:41, [email protected] wrote: >>> From: Michael Niedermayer <[email protected]> >>> >>> Prevents out of array writes >>> Addresses: CVE-2014-2263 >>> --- >>> libavformat/mpegtsenc.c | 9 +++++++-- >>> 1 file changed, 7 insertions(+), 2 deletions(-) >> >> This is an encoder, it means that the data buffer is smaller than you'd >> expect. >> >> 1012 is a random number or there is a specification mandating that? > > section[1024] - 4 /* crc */ - 8 /* PSI section header */ > in mpegts_write_section1 > > section length including header can not be over 1024, per > H222 2.4.4.7
so PSI_SECTION_HEADER 1012 (1024 - crc - ???) > I agree it should be documented / defined Indeed, now the question pending is how we can overflow it and how to notify the user when it happens. lu _______________________________________________ libav-devel mailing list [email protected] https://lists.libav.org/mailman/listinfo/libav-devel
